PDF malware analysis — malicious · c893ea6d67e43010

MALICIOUS

PDF

94.9 KB Created: 2021-05-06 18:31:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1cd6fb648cd31c438fd53d77fc1ea571 SHA-1: 7b45686ae5f4af2be89396956c54ec05153db380 SHA-256: c893ea6d67e43010f3933f5aac41f081ad1437504b2c7ace51814db29c4bd07c

156 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. Heuristics reveal it functions as a link farm, directing users to multiple potentially compromised or disposable hosting sites. The embedded URLs, such as http://ednak.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071d1bc4522f---rozuzevefezenu.pdf, are likely part of a phishing or malware distribution scheme.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 6

ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM

PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM

Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://broadviewlibrary.org/uploaded_bvlib/file/fupimij.pdf
- https://siphouse96.com/wp-content/plugins/super-forms/uploads/php/files/bfe7a9e8ddf4c324ce379282ce4f0f46/duguwaxebaju.pdf
- https://auf.vn/wp-content/plugins/super-forms/uploads/php/files/vsnk0d9f17plic5ov0ghbjjo63/68912826582.pdf
- http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/f2kcgotf86rj2d0s169gbf1lpk/72682047498.pdf
- https://ehblending.com/wp-content/plugins/super-forms/uploads/php/files/fa71cc3bac55751f78058b2a1029f56c/sodovevuve.pdf
- https://haps.company/wp-content/plugins/super-forms/uploads/php/files/8t8hnqur1v5v6akpocv5hg6543/15104483575.pdf
- https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/e1931a0ff3981f77d3a7091b1db80dfe/64457606770.pdf
- http://www.predoisiasociatii.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160891fcc83f12---45529924579.pdf
- http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087d98886127---maxakadakasu.pdf
- https://www.northernillumination.com/wp-content/plugins/super-forms/uploads/php/files/f3334028cfa4b7aa577f138ee2c7d199/63234822287.pdf
- https://www.ltgpartners.com/wp-content/plugins/super-forms/uploads/php/files/a9e80cf2c7e52447c9f53fc228e720ec/19205813257.pdf
- http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/a30d8367e89815872920728a7b28ed36/20063536508.pdf
- http://poorclarescork.ie/images/27468070210.pdf
- http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/16091558371df0---kaxiwamixexolavo.pdf
- http://www.elsecretodelolivo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a0e2163c84---bevulilobovoli.pdf
- http://ednak.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071d1bc4522f---rozuzevefezenu.pdf
- https://bbensonmft.com/wp-content/plugins/super-forms/uploads/php/files/6e7b9b4cc70add476d2bd08f961225be/45516594942.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=android+emulator+windows+10+x86
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001350e.bin` `84c57b4fbc85969045170c60d28e0f37e32302e95e76770282fc5c8e299ce443`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1350E	5664 bytes
`font_01_sfnt_off00014850.bin` `7baa107f74359ec15f53b1283826d5bf0f92631ab13acf905fabcda1f8d977e1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x14850	11476 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.